Linux Permissions
rwx
Permissions
At a basic level, permissions in Linux are a relationship between users, groups, files, and directories. Users can belong to multiple groups and groups can have multiple users. Every file and directory defines its permissions in terms of a user, a group, and "others" (all other users).
Users
User accounts are configured in the /etc/passwd file. User password hashes are stored in the /etc/shadow file. Users are identified by an integer user ID (UID). The "root" user account is a special type of account in Linux. It has a UID of 0, and the system grants this user access to every file.
Groups
Groups are configured in the /etc/group file. Users have a primary group, and can have multiple secondary (or supplementary) groups. By default, a user's primary group has the same name as their user account.
Files and Directories
All files and directories have a single owner and a group. Permissions are defined in terms of read, write, and execute operations. There are three sets of permissions: one for the owner, one for the group, and one for all "other" users (also referred to as "world"). Only the owner can change permissions.
File Permissions
File permissions are self-explanatory:
Read
When set, the file contents can be read.
Write
When set, the file contents can be modified.
Execute
When set, the file can be executed (i.e. run as some kind of process).
Directory Permissions
Directory permissions are slightly more complicated:
Execute
When set, the directory can be entered. Without this permission, neither the read nor write permissions will work.
Read
When set, the directory contents can be listed.
Write
When set, files and subdirectories can be created in the directory.
Special Permissions
Setuid (SUID) bit
When set, files will get executed with the privileges of the file owner.
Setgid (SGID) bit
When set on a file, the file will get executed with the privileges of the file group.
When set on a directory, files created within that directory will inherit the group of the directory itself.
Viewing Permissions
The ls command can be used to view permissions:
The first 10 characters indicate the permissions set on the file or directory. The first character simply indicates the type (e.g. - for a file, d for a directory). The remaining 9 characters represent the 3 sets of permissions (owner, group, others). Each set contains 3 characters, indicating the read (r), write (w), and execute (x) permissions. SUID/SGID permissions are represented by an s in the execute position.
Real, Effective, and Saved UID/GID
Each user has 3 user IDs in Linux (real, effective, and saved).
A user's real ID is who they actually are (the ID defined in /etc/passwd). Ironically, the real ID is actually used less often to check a user's identity.
A user's effective ID is normally equal to their real ID; however, when executing a process as another user, the effective ID is set to that user's ID. The effective ID is used in most access control decisions to verify a user, and commands such as whoami use the effective ID.
Finally, the saved ID allows a SUID process to temporarily switch its effective ID back to the real ID and then back again, without losing track of the original effective ID.
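As an added example (not part of the original page), the following Python script ties together the ls permission string described above and the real/effective/saved IDs: it decodes a 10-character permission string into the octal mode that chmod uses, flagging SUID/SGID, and reads the current process's IDs via getresuid(2). It also handles the sticky bit (t) and the uppercase S/T forms, which the page does not cover; the sample strings are constructed.

```python
import os
import stat

# Bit for each of the nine rwx positions in an `ls -l` string, owner first.
_RWX_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Letters allowed in each execute slot besides 'x', and the special bit they add.
_SPECIAL = {2: ("sS", stat.S_ISUID), 5: ("sS", stat.S_ISGID), 8: ("tT", stat.S_ISVTX)}
_TYPES = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
          "b": "block device", "p": "fifo", "s": "socket"}


def parse_mode_string(perms):
    """Decode the first 10 characters of an `ls -l` line into (type, mode bits).
    's' in the owner/group execute slot is SUID/SGID, 't' in the others slot is
    the sticky bit; lowercase means execute is set too, uppercase means it is not."""
    if len(perms) != 10 or perms[0] not in _TYPES:
        raise ValueError(f"not an ls -l permission string: {perms!r}")
    mode = 0
    for i, ch in enumerate(perms[1:]):
        if ch == "-":
            continue
        slot = i % 3  # 0 = read, 1 = write, 2 = execute
        if ch == "rwx"[slot]:
            mode |= _RWX_BITS[i]
        elif slot == 2 and ch in _SPECIAL[i][0]:
            mode |= _SPECIAL[i][1]
            if ch.islower():  # 's' = SUID plus execute, 'S' = SUID only
                mode |= _RWX_BITS[i]
        else:
            raise ValueError(f"bad character {ch!r} at position {i + 1} of {perms!r}")
    return _TYPES[perms[0]], mode


def to_octal(perms):
    """Octal mode as chmod accepts it, e.g. '-rwsr-xr-x' -> '4755'."""
    return f"{parse_mode_string(perms)[1] & 0o7777:04o}"


def current_ids():
    """Real, effective and saved UID/GID of this process (Linux getresuid(2)).
    In a plain shell all three match; inside a SUID binary the effective and
    saved IDs are the file owner's while the real ID stays the caller's.
    On systems without getresuid the saved ID is reported as None."""
    if hasattr(os, "getresuid"):
        return {"uid": os.getresuid(), "gid": os.getresgid()}
    return {"uid": (os.getuid(), os.geteuid(), None), "gid": (os.getgid(), os.getegid(), None)}


if __name__ == "__main__":
    for sample in ("-rwsr-xr-x", "drwxrwsr-x", "-rwSr--r--", "drwxrwxrwt"):  # constructed
        print(sample, "->", parse_mode_string(sample)[0], to_octal(sample))
    print("real/effective/saved:", current_ids())
```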
Examples
Print real and effective user/group IDs:
Print real, effective, saved, and file system user/group IDs of the current process (i.e. our shell):